This configuration has been in use in .gitlab-ci.yml scripts for a while
now and has proven reliable. This is a "low hanging fruit" improvement.
It provides an extra layer of protection for when there are apt vulns. And
it makes it much harder to profile what a server/laptop is doing based on
the internet traffic. The network observer will no longer be able to see
which packages are being downloaded since apt uses HTTP pipelining so size
attacks are not really possible. And HTTPS hides the URLs, filenames,
download contents, etc.
This is not user-configurable, so it should not be set up to be. This
process is only tested on the one basebox, and devs can just edit
Vagrantfile directly to test other base boxes.
# Conflicts:
# makebuildserver
The official Debian Vagrant box seems to be a "batteries included" kind of
thing. The buildserver should be as small as possible, so this removes all
the extraneous packages I could find in the Vagrant basebox.
This script was overwriting the provisioning that `vagrant package` does
already, and breaking `vagrant ssh`. It should have been removed in !1099
closes #990
fdroid-bootstrap-buildserver#12
!1012 !1099 c6f5956537
Adding /bullseye-backports confuses things apparently. Without it, apt
will look in bullseye-backports automatically, including for deps. But it
will not look for deps in bullseye-backports if /bullseye-backports is used.
!1205
Vagrant uses the "insecure private key" to establish the first SSH
connection to a new VM based on a clean public box. In theory, the
`vagrant package` command should do that automatically. This process
is still using custom code instead of `vagrant package`, hence this
script.
This public key can be generated on any Vagrant install using:
ssh-keygen -y -f ~/.vagrant.d/insecure_private_key
https://www.vagrantup.com/docs/vagrantfile/ssh_settings#config-ssh-private_key_path
fdroid-bootstrap-buildserver#12
!1012 !1099
This is commented out by default on all OpenJDK packages since Java 8.
https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1012?diff_id=263085985#note_726457435
root@sid:/# grep Accessibility /etc/java-*-openjdk/accessibility.properties
/etc/java-11-openjdk/accessibility.properties:#assistive_technologies=org.GNOME.Accessibility.AtkWrapper
/etc/java-17-openjdk/accessibility.properties:#assistive_technologies=org.GNOME.Accessibility.AtkWrapper
/etc/java-18-openjdk/accessibility.properties:#assistive_technologies=org.GNOME.Accessibility.AtkWrapper
/etc/java-8-openjdk/accessibility.properties:assistive_technologies=org.GNOME.Accessibility.AtkWrapper